Will this affect the file permissions set on each application's files?

On Mon, Oct 20, 2014 at 4:08 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:

> On 10/18/2014 04:27 AM, Tal Palant wrote:
> > Hello all,
> >
> > I know that in the past there was an option/ability to assign a unique
> > category for each application installed on the device.
> >
> > The rule will be something like this (I assume):
> >
> > "user=_app seinfo=release \ name=com.android.browser \
> > domain=browser_app \
> > type=platform_app_data_file levelFrom=app"
> >
> > and levelFrom=app will restrict it to the application itself and nothing
> > more.
> >
> > But how do I automatically generate such rules in advance for all the
> > applications without knowing the applications that will be installed on the
> > device?
> >
> > Also will this rule be enough to block access to the specific application
> > files?
> >
> > Thanks in advance,
>
> You can apply it to all non-system apps by adding levelFrom=app to the
> user=_app domain=untrusted_app type=app_data_file line in
> seapp_contexts, ala:
>
> user=_app domain=untrusted_app type=app_data_file levelFrom=app
>
> This would assign a unique category set to each such app, isolating each
> app to accessing only its own files.
>
> However, this will break compatibility, which is why it is not in AOSP.
> There we have recently uploaded a change to enable levelFrom=user (i.e.
> per-user category sets) in order to isolate apps for one user from apps
> for another user. We are not yet sure how well that will work in practice.

--
Tal Polo Palant, because there is only one name like that
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
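
As an added illustration of the per-app category sets discussed in this thread (not code from either poster or from AOSP), the sketch below derives the level a levelFrom=app entry would assign to an app uid and applies a simplified MLS dominance test to two such levels. The category mapping (low and high byte of the app ID), the uid constants, the sample uids, and the function names level_from_app and mls_dominates are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AID_USER           100000u /* uid range per Android user */
#define AID_APP             10000u /* first uid of an installed app */
#define AID_ISOLATED_START  99000u /* isolated-process uids, not user=_app */
#define NCATS 1024                 /* categories c0..c1023 */

/* Level a levelFrom=app entry gives a user=_app uid. Assumed mapping: two
 * categories, c<low byte> and c<256 + high byte> of (appid - AID_APP). */
int level_from_app(unsigned uid, char *buf, size_t len) {
    unsigned appid = uid % AID_USER;
    if (appid < AID_APP || appid >= AID_ISOLATED_START) return -1;
    appid -= AID_APP;
    snprintf(buf, len, "s0:c%u,c%u", appid & 0xff, 256 + ((appid >> 8) & 0xff));
    return 0;
}

/* Parse the categories of an "s0[:cN,cM...]" level into a bitmap. */
static int parse_cats(const char *level, unsigned char *set) {
    memset(set, 0, NCATS / 8);
    if (strncmp(level, "s0", 2) || (level[2] != ':' && level[2])) return -1;
    char *end;
    for (const char *p = level + 2; *p; p = end) { /* *p is ':' or ',' */
        if (p[1] != 'c' || !isdigit((unsigned char)p[2])) return -1;
        unsigned long c = strtoul(p + 2, &end, 10);
        if (c >= NCATS || (*end != ',' && *end != '\0')) return -1;
        set[c / 8] |= (unsigned char)(1u << (c % 8));
    }
    return 0;
}

/* 1 if every category on the object's level is also on the subject's: the
 * simplified MLS test, evaluated in addition to the Unix mode bits. */
int mls_dominates(const char *subj, const char *obj) {
    unsigned char s[NCATS / 8], o[NCATS / 8];
    if (parse_cats(subj, s) || parse_cats(obj, o)) return 0;
    for (size_t i = 0; i < sizeof o; i++)
        if (o[i] & ~s[i]) return 0;
    return 1;
}

int main(void) {
    char a[32], b[32]; /* constructed sample uids sharing a low byte */
    if (level_from_app(10052, a, sizeof a) || level_from_app(10308, b, sizeof b))
        return 1;
    printf("%s reads %s: %d\n", a, b, mls_dominates(a, b));
}
```

Under this mapping the same app installed for a second Android user (for example uid 1010052) gets the same two categories as uid 10052, which is the gap the per-user category sets mentioned in the reply are meant to cover.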